If you are one of the many IdPs that already supports CILogon, it is very easy to convert your CILogon configuration to a more general R&S configuration since the attribute requirements for CILogon are precisely those attributes required for support of R&S.

Software Requirements

The software requirements for the upgrade described here include Shibboleth IdP v2.3.4 or later. First read how to configure your Shibboleth IdP to support R&S before continuing.

Your current CILogon configuration probably looks something like this:

<afp:AttributeFilterPolicy id="releaseToCILogon">

  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://cilogon.org/shibboleth"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

Simply replace the CILogon entityID with the R&S entity attribute:

<afp:AttributeFilterPolicy id="releaseToRandS">

  <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- this assumes your deployment of ePPN is non-reassigned, otherwise you MUST release ePTID as well -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:ANY"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>

That's it, you're done. Congratulations, you've just given your users access to all R&S SPs.
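As an added check (not part of the original page), the Python script below parses an IdP v2 attribute-filter file with the standard library only, finds every policy keyed on the R&S entity category as shown above, and reports which of the attribute IDs used on this page are still missing from the release, including eduPersonTargetedID when ePPN is reassignable. The embedded filter file is a constructed sample; the attribute IDs are assumed to match the page's resolver naming.

```python
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"

# Constructed sample attribute-filter.xml: the page's R&S policy, minus givenName/surname.
SAMPLE_FILTER = """<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToRandS">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="displayName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""


def rs_policies(xml_text):
    """Return {policy id: set of attributeIDs permitted} for every policy whose
    requirement rule is an exact match on the R&S entity category."""
    found = {}
    for policy in ET.fromstring(xml_text).iter(AFP + "AttributeFilterPolicy"):
        for req in policy.findall(AFP + "PolicyRequirementRule"):
            # xsi:type is a prefixed QName; ElementTree does not resolve prefixes
            # inside attribute values, so compare only the local part.
            if (req.get(XSI_TYPE, "").split(":")[-1] == "AttributeRequesterEntityAttributeExactMatch"
                    and req.get("attributeName") == ENTITY_CATEGORY
                    and req.get("attributeValue") == RS_CATEGORY):
                found[policy.get("id")] = {
                    rule.get("attributeID") for rule in policy.findall(AFP + "AttributeRule")
                    if rule.find(AFP + "PermitValueRule") is not None}
    return found


def missing_for_rs(released, eppn_reassignable=False):
    """Attribute IDs (as named on this page) the R&S bundle still needs:
    ePPN and email always, displayName or givenName+surname, and ePTID if ePPN is reassigned."""
    missing = {"eduPersonPrincipalName", "email"} - set(released)
    if "displayName" not in released and not {"givenName", "surname"} <= set(released):
        missing.add("displayName")
    if eppn_reassignable and "eduPersonTargetedID" not in released:
        missing.add("eduPersonTargetedID")
    return missing
```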

To have your IdP added to the list of IdPs that support R&S, fill out this short form (just 6 questions) that declares your willingness and ability to support R&S. Once this is done, your IdP will be added to the list, normally within one business day.